The Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia have developed a guide titled Getting Accountability Right with a Privacy Management Program. The guide aims to help organizations implement an effective privacy management program that meets private-sector privacy legislation and to provide consistent direction on what it means to be an accountable organization when dealing with individuals’ personal information, accountability being the first and foremost obligation under privacy legislation.

These guidelines will help businesses take data protection from policy to practice, explained BC Information and Privacy Commissioner, Elizabeth Denham.

These guidelines come after privacy commissioners had to investigate several technical breaches of privacy laws.

Recently, the Office of the Privacy Commissioner also conducted several audits of how federal institutions are managing the personal information they hold, which includes identity information. The OPC looked at the institutions’ privacy management frameworks: how they organize themselves through structures, policies, systems and procedures to distribute privacy responsibilities, coordinate privacy work, manage privacy risks, and ensure compliance with the federal Privacy Act. The audit report can be consulted here.

Privacy management risks

Canadians are becoming more concerned about the online information practices of organizations and government bodies they deal with. Individuals also consider the privacy protections that companies offer before they do business with them, especially the companies that handle their sensitive information. Many customers will stop doing business with companies if they hear or read in the media that a company has mishandled, improperly used or disclosed or lost their customers personal information.

Organizations should understand the management and reputational risk and loss of customer trust that can happen if they are not clear about how they process information.

“Privacy risk” has been defined by some to mean the chance that your data may be used in ways you don’t expect.

The risks include (this list is not exhaustive):

Organizations using inaccurate customer data to make decisions and serve content

Customers lacking understanding of how to request organizations correct their data (in violation of privacy law)

Organizations lack of understanding of privacy laws

Loss of personal data

Privacy breaches, malware or spyware attacks

Excessive privilege or access rights

Employee negligence, internal fraud for financial gain

System vulnerabilities

Improper disclosures

Discrimination against certain persons or groups who might, for example, be excluded from special offers based on their customer profiles

Guidelines that organizations can follow and suggested by the OPC and the OIPCs of Alberta and British Columbia are based on sound personal information protection principles, which include: notice and choice, education, transparency, control, data security, material changes, sensitive data and most of all accountability. Organizations that take these principles into account when they develop their data collection, and use and disclosure policies and procedures, will be better able to avoid the risks.

Hence, public- and private-sector businesses and organizations need a robust privacy management framework if they are to achieve their program objectives and observe best privacy practices and be accountable.

According to the guide:

Accountability in relation to privacy is the acceptance of responsibility for personal information protection. An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program. The outcome is a demonstrable capacity to comply, at a minimum, with applicable privacy laws. Done properly, it should promote trust and confidence on the part of consumers, and thereby enhance competitive and reputational advantages for organizations.

Hence, privacy management is not about just making your information technology infrastructure secure but making privacy part of your business ethics and culture. It entails taking the right steps to safeguard your organization, your clients and customers by ensuring your business complies fully with privacy laws and ensuring that privacy protection is a key consideration in any department, project, transaction, business activities and operations in your organization. In turn, it means identifying a clear accountability for privacy issues so that it is incorporated into the role of all employees, executives, decision-makers in your company.